We use DIGEST authentication for our WebDAV Access. We observe that Windows clients send each request twice. First request doesn't have Authorization header (and gets 401 response), second request has Authorization header (and usually gets correct response).

While the user probably cannot see this, it makes the whole WebDAV access slower than necessary.

Is it possible to avoid this behaviour somehow? Maybe some special response which will convince Windows not to do this? When we use BASIC instead of DIGEST, it works fine (doing a single request only, with the Authorization header always included).

+2  A: 

I believe that the method you described, which is called a "challenge / response" method, is the intended behavior for WebDAV. At least it is according to the specs. That first request without auth headers is necessary; the response from WebDAV contains a nonce to validate the next request, helping deflect against, for example, replay attacks.

So, bottom line: you can't, and shouldn't try to avoid this behavior.

As to your non-Windows clients that are doing this... it's possible that they're caching and reusing the nonce in some way after an initial challenge / response call. This is certainly allowed in the specs -- even though the nonce is supposed to be a single-use item, the specs allow WebDAV servers to make the nonce short-lived across multiple requests. It's possible that your non-Windows clients are able to recognize your WebDAV server and act accordingly but the Windows clients are not.

In that case, I don't know of a workaround other than to ask users to find a client that caches a nonce. Unfortunately, I cannot help you find such a client. My Google-fu has failed in that regard.

Randolpho
Thank you for extensive answer. Most clients do indeed cache nonce, and reuse it until server says that it is stale (in our case it is after 5 minutes). I didn't realize that behaviour I see can be considered to be "according to the spec" :-(
Peter Štibraný
I'll google more about windows and caching nonce. If nothing else, you gave me more pointers where to look.
Peter Štibraný
Well, good luck in that regard. I assume it's just the Windows Vista "Web Folder" option that's part of Explorer. Probably somebody writing it said "why?" and took it out. I'd assume that any non-OS client would cache the nonce.
Randolpho
But you'd want to test that. :)
Randolpho
Mac Webdav client caches nonce, and handles stale reply correctly ... doesn't ask user for credentials again. But it also has its own quirks (nicely summarized at http://code.google.com/p/sabredav/wiki/Finder)
Peter Štibraný
Heh... according to that very wiki, Windows Vista's WebDAV client is "a lot less broken" than XP. http://code.google.com/p/sabredav/wiki/Windows
Randolpho
Btw, Ubuntu webdav client also does these "double requests" :-(
Peter Štibraný
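The nonce reuse discussed in this answer and its comments can be sketched as follows. This is an added example, not code from the thread or from any WebDAV server: it models RFC 2617 Digest with `qop=auth`, where a client keeps one nonce and increments the nonce-count `nc`, and the server answers `stale=true` once the nonce is older than 5 minutes. The key, realm, credentials, function names and the already-parsed `auth` dict are constructed for illustration.

```python
import hashlib, hmac

SECRET = b"constructed-server-key"   # assumption: server-side key for signing nonces
NONCE_TTL = 300                      # 5 minutes, the lifetime mentioned in the thread
REALM = "webdav"                     # constructed realm
USERS = {"peter": "s3cret"}          # constructed credentials
seen_nc = {}                         # nonce -> highest nonce-count accepted so far

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def make_nonce(issued_at):
    # Timestamped, MAC-protected nonce: the server can validate it statelessly.
    ts = str(int(issued_at))
    return ts + ":" + hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]

def digest_response(user, password, method, uri, nonce, nc, cnonce):
    # RFC 2617 request-digest for qop=auth; nc is sent as 8 hex digits.
    ha1 = md5(f"{user}:{REALM}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:auth:{ha2}")

def server_check(auth, method, now):
    """Return 'ok', 'stale' (401 with stale=true) or 'denied' (plain 401)."""
    if auth is None:
        return "denied"                      # the initial unauthenticated request
    ts = auth["nonce"].partition(":")[0]
    if not (ts.isascii() and ts.isdigit()):
        return "denied"
    if not hmac.compare_digest(make_nonce(int(ts)).encode(), auth["nonce"].encode()):
        return "denied"                      # nonce was not issued by this server
    password = USERS.get(auth["username"], "")
    expected = digest_response(auth["username"], password, method, auth["uri"],
                               auth["nonce"], auth["nc"], auth["cnonce"])
    if auth["username"] not in USERS or not hmac.compare_digest(
            expected.encode(), auth["response"].encode()):
        return "denied"
    if now - int(ts) > NONCE_TTL:
        return "stale"                       # digest valid, nonce expired: no re-prompt
    if auth["nc"] <= seen_nc.get(auth["nonce"], 0):
        return "denied"                      # nonce-count reused: treat as a replay
    seen_nc[auth["nonce"]] = auth["nc"]
    return "ok"

def client_auth(nonce, nc, method, uri, cnonce="0a4f113b"):
    # Client side: reuse the cached nonce and bump nc on every request.
    resp = digest_response("peter", USERS["peter"], method, uri, nonce, nc, cnonce)
    return {"username": "peter", "uri": uri, "nonce": nonce, "nc": nc,
            "cnonce": cnonce, "response": resp}
```

A client that behaves like `client_auth` pays the 401 round trip only once per nonce lifetime; a client that discards the nonce after each request produces the double requests described in the question.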
A: 

You can also research something called "Preauthentication". Preauthentication is sending the first request with an authentication header as opposed to sending an initial anonymous request.

While applications and web services are ideal for this since you typically know beforehand whether authentication is required, you typically don't know if a web site requires authentication beforehand.

WebFolders/WebDAV is a special case, but again, you're not sure.

The issue with preauthentication is that you are potentially sending information to a site that you don't necessarily trust. Basic Authentication would give away the keys to the kingdom (User/password in plain text), however Negotiate, NTLM and Digest aren't so bad.

You can take a look here on preauthenticating in .Net for a web service, which I have used successfully to eliminate the initial 401.

Christopher_G_Lewis
Thank you for your answer. If I understand it correctly, Preauthentication is useful technique when implemented on clients (i.e. client skips first request without auth header). However, I work on server-side, and I don't control clients connecting to the webdav service :-(
Peter Štibraný
This KB might help http://support.microsoft.com/kb/917557 if you have the ability to switch from Digest to Windows Integrated and Kerberos.
Christopher_G_Lewis
A: 

If you are struggling with the Windows WebFolder Client you might want to have a look at this issues list hosted at the greenbytes WebDAV site. If you noticed any Vista specific details not contained in the list, please send a note to the editors.

mkoeller
Thanks. I find Greenbytes webdav site very useful (Julian from greenbytes is also reading SO and answering webdav questions)
Peter Štibraný